Tuesday, October 21, 2014

State Responsibility in the Cyber Commons: Deepening
the India-US Relationship

MAHIMA KAUL

Two
countries which share so many common values―democracy, rule of law, freedom of
expression, liberty, multiculturalism, freedom of religion―have not yet been
able to operationalise a strategic partnership that would define the 21st
century. That ‘big idea’, which could form the basis for the next phase of the
US-India relationship, has seemed elusive. Strategic thinker C. Raja Mohan
suggested in 2010 that this need not be the case, and the basis of this
partnership could be protection of the global commons―the oceans, air, outer
space and cyberspace. In the backdrop of the instability of these commons, and
the growing pressure on the US’s ability to secure these spaces, Raja Mohan
maintained that since free flow of information and trade across the global
commons is vital for both economies, India could serve as a natural ally for
the US.[1] Admittedly, this is not an easy task, especially in
the cyber domain. Misapprehensions about US dominance, its capabilities and
intent as revealed by the Edward Snowden disclosures, cast a shadow over common
areas of interest. Yet, both countries seem to understand there is much to be
gained from closer collaboration, especially given the increasing intensity of
threats to their digital boundaries and the state’s responsibility for
controlling the proliferation of such activities.

Globally, accusations citing cyber attacks from across borders are
becoming increasingly common. In fact, many countries which have been vocal
about being victims of cyber attacks, have been at times perpetrators
themselves. For example, the United States, which in May 2014, indicted members of the Chinese military for engaging
in acts of hacking and spying on US businesses and entities, has itself been
accused of launching the virus Stuxnet in 2010 (in collaboration with Israel)
on Iran’s nuclear centrifuges, destroying one-fifth of them. And in turn, Iran
has been accused of ‘non-stop cyber attacks’ on major computer systems in
Israel.[2]There
is also the 2014 case of Russian hackers attacking US bank J.P. Morgan and
stealing sensitive data to sell in the global black market. Some analysts
suggest that these actions are in retaliation to Western economic sanctions
against Russia. Therefore some common, global
understanding of the rules of state behaviour in cyberspace is needed.

Currently, under Article 51 of the UN Charter, states,
individually or collectively, have the right to defend themselves against an
‘armed attack’ in cyberspace.[3]
There is much work being done in the area of international law to understand
the terms ‘armed act,’ ‘acts of aggression’ and ‘force’ when they relate to the
cyber world, as there is no international consensus on the issue. As witnessed
in the US case, acts of espionage (which have been attributed to a state, in
this case China) fall short of a cyber attack, but are still considered to have
significant consequences on the economy. Under these circumstances, and others
that have preceded it, the global conversation has been veering towards
chalking out rules of cyberspace.

Two schools of thought have emerged. The first is a solution put
forward by China, Russia and a few other countries: have an international code
of conduct with a view to protecting information security. This has been
formalised in the Eurasian grouping called the Shanghai Cooperation
Organisation (SCO). The members are China, Russia, Uzbekistan and Tajikistan,
among others. India has observer status
at the SCO and is up for full membership. Their 2009 Yekaterinburg
Declaration stated: “The SCO member states stress the significance of the issue
of ensuring international information security as one of the key elements of
the common system of international security.” In 2013, Russia and China submitted
an ‘International Code of Conduct for Information Security’ to the UN.[4] The code dwells on information security in a few
parts, including “…curbing the dissemination of information that incites
terrorism, secessionism or extremism or that undermines other countries’
political, economic and social stability, as well as their spiritual and
cultural environment.”

This is the point of departure for many other nations,
which are less concerned with ‘information security,’ often seen as
securitisation of free speech. Instead, they prefer to focus on ‘network
security’―that is, keeping the critical resources that keep cyberspace
functioning, protected. This is also the stated point of view of the US. To
that end, some experts have pointed out that countries should share, to some
extent, their military doctrines on how they will use cyber techniques for
offensive purposes to achieve international stability in cyberspace.[5]

This also leads to the very pertinent question of what
constitutes an act of war in cyberspace. Here, an argument has been made for
the international community to set ‘norms’, to shape behaviour and limit
conflict in cyberspace. This view has been worked on at the United Nation’s
Group of Governmental Experts meetings, and has included the US and its NATO
allies, India and even China. The report of the third meeting of the GGE in
June 2013 concluded that “international
law and in particular the United Nations Charter, is applicable and is
essential to maintaining peace and stability and promoting an open, secure,
peaceful and accessible ICT environment.”[6] The non-binding exercise seeks to derive norms from
existing laws. It also says that states must meet their international
obligations regarding wrongful acts attributable to them. States must not use
proxies to commit internationally wrongful acts. States should seek to ensure
that their territories are not used by non-state actors for unlawful use of
information and communications technologies (ICTs).

Presently, the Tallinn Manual, produced by the NATO in 2013, seeks to
examine how existing international norms apply to cyber ‘warfare’. It states in
Rule 11 that “a cyber operation constitutes a use of force when its scale and
effects are comparable to non-cyber operations rising to the level of a use of
force.” These operations are to be measured taking into account a variety of
factors: severity, immediacy, directness, invasiveness, measurability of
effects, military character of the cyber operation, the extent of state
involvement, and presumptive legality.[7]

However,
some experts have criticised its narrow view of state responsibility, saying
that it gives the initiative to attackers, sending the message that huge
numbers of cyber-intrusions are possible with impunity.The question they ask is
whether this encourages cyber-aggressive states to push the envelope[8]. The growing concern is understandably protection of
their critical infrastructure, which is vulnerable to cyber attacks from all
quarters. This is a concern for the US and India alike.

The reality is that even if digital forensics could trace the
origin of a cyber attack, it can be extremely difficult to get states to even
acknowledge there is non-state activity emanating from their territories.
Indian security experts feel that in some cases, there will be a genuine lack of capacity to control
cyber events on one’s soil; in other cases, some states could deliberately
build ambiguity to mask their role. Another
question worth considering is whether the state is complicit in a cyber attack,
either by financial or other forms of assistance.

Offline, India’s
own experience with Pakistan, while trying to control international terrorism,
has not been very positive. The
country maintains plausible deniability about its support to terror groups
operating in Afghanistan and India, and the international system has been
unable to compel Pakistan to change its behaviour.[9]
Add to this scenario a statement made by
India’s Minister for Communications and Information Technology to the Indian
Parliament in July 2014: cyber attacks on India originate in the UAE, Europe,
Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the US.[10]

The
question then, for India and the US, is how the global governance regime can
induce other states to reduce threats from within their borders. Norms that
constrain cyber attacks is one strategy. This is also where their ‘big idea’―of
protecting the cyber commons―could, in part, be met with another strategy.
Closer cooperation for technological solutions will complement the political
solutions. Knowledge exchanges between their Computer Emergency Response Teams
(CERTs), war games, educational, scientific and research cooperation, and other
safeguards could help build formidable digital borders that rogue states and
groups would not want to risk infiltrating.

Cooperation
also includes strengthening the India-US Counter Terrorism Initiative,
established in 2009, which is continuing through India-US strategic dialogue
meets. However, there are some bottlenecks that need to be ironed out. As was
visible in the investigations that followed the horrific November 2008 terror
attacks, fissures can crop up between intelligence agencies of the two
countries. At first, Indian intelligence agencies cried foul saying the US had
not shared information about terrorist David Headley with them. Later, India’s
limited access to Headley revealed how much these information exchanges are
susceptible to sovereign immunities. Both countries need to make a definite
push to fix national legislation in order to share data about terrorist
activities, unhindered by domestic laws. This is essential to safeguard the
growing digital partnership.

Closer
cooperation on digital forensics―and identifying the source of attacks―would,
in the longer term, help simplify the application of international law in
cyberspace. It would also provide a much-needed deterrent to states indulging
in economic espionage and cyber crimes. A framework of cooperation is the order
of the day to keep the networks both countries so heavily rely on stable and
secure.

[1]
C Raja Mohan, “India, the United States and the Global Commons.” Centre for a
New American Security. October 2010, at
http://www.cnas.org/files/documents/publications/CNAS_IndiatheUnitedStatesandtheGlobalCommons_Mohan.pdf.

[6]
Report of the Group of Governmental Experts on Development in the Field of
Information and Telecommunication in the Context of International Security,
submitted to the UN General Assembly 68th Session, June 24, 2013.

[8]
Peter Margulies, “Sovreignity and Cyber Attacks: Technology’s Challenge to the
Law of State Responsibility,” 2013, Melbourne Journal of International Law,
Volume 14, University of Melbourne, at
http://www.law.unimelb.edu.au/files/dmfile/05Margulies-Depaginated.pdf

Thursday, October 02, 2014

Governments around the world seem to be straddling the dichotomy the
internet has brought into our lives: the endless possibilities of
innovation, commerce, expression, big data, along with the challenges of
cyber crime, security, disinformation and surveillance. The weight
given to each of these outlooks ends up determining a governments
approach towards internet governance. And since global internet
governance itself is distributed across various foras, governments are
free to change their strategy to suit their outlook, depending on the
topic being discussed. The same government might approach the management
of critical resources with a strict nationalistic outlook, yet look to
forge agreements on cyber crime bilaterally, create norms of state
behavior multilaterally, and discuss human rights and free expression
via a multistakeholder process. This is also the reason that democracies
need not necessarily agree on global governance mechanisms even if they
converge on values.

It must be kept in mind that the internet has fundamentally changed
over the years. Its potential to cross barriers and serve as a platform
for the free exchange of goods and knowledge remains immense, and some
of those who have seen the development of the internet from its
inception are fighting bitterly to keep it such. But, the reality is
that is not quite the version of the internet that many new users
experience. They have inherited an internet fraught with crime such as
hate speech and cyber bullying, it is an internet where net neutrality
is being threatened in the very country that created it, an online world
where big corporations are pushing stringent intellectual property
regimes and where ‘free trade’ over the internet seems to be a well
crafted narrative to promote the supremacy of US companies. Navigating
these waters, for people and governments alike, can be complex.
Currently, the US dominates the global internet governance
architecture and pushes a multistakeholder system that banks on the
participation and maturity of all stakeholders. Countries like India,
tiptoeing into many of these foras, do not share the same enthusiasm for
these governance mechanisms. The vast majority of Indian citizens are
not yet online. In fact, the Indian government is most concerned about
the current management structure of critical internet resources, the
uncoordinated national approaches to determine cyber jurisdiction over
transactions that span multiple territories, and ensuring universal
access through affordable (and secure) devices. With this background, it
can be understood why the world’s most diverse democracy has resisted
“multistakeholderism” as a global governance mechanism, a system
inherently democratic in its description, but not yet suited to its
objectives.

Yet, for a people famously called argumentative by Nobel laureate
Amartya Sen, Indians have been curiously lacking in explanations about
these particular decisions. The international press, confused by the
government of India’s contrarian views, simplistically bunches it along
with authoritarian countries who oppose the US’s global governance
framework.